Wednesday, July 28, 2010

Thanks, Kenny for pointing me to WPA Cracker, an online tool that will help you test your wireless network's security/find your lost network password for a marginal fee.The service is operated by Moxie Marlinspike, an independent security researcher and The Institute for Disruptive Studies.

This is an interesting service. They don't seem to care much who they are "helping" - they don't ask for more than an email address, network capture and the ESSID. You have to pay them using an Amazon account - but if you use a pre-loaded "credit card" and a generic email account, you can protect yourself from casual scrutiny.

WPA Cracker will hit a network with either dictionary or brute force attacks. Dictionary attacks are exactly what they sound like. The attacker has a file - the "dictionary" - that contains any words, phrases, leet-speak, etc that might be used as a password. Dictionary attacks can be very successful because many people use the same passwords. Password, for instance, is one of the most common passwords.

But as successful as dictionary attacks can be, they may not get you access to the account you want because the person is a little more aware, or just plain paranoid, and uses a password generator or creates their own random passwords. While dictionaries can be extensive, they can't cover every possible combination of characters, especially if the password is very long (6 or more characters, at least). To cover those types of passwords, WPA Cracker uses brute force attacks. Brute force attacks will try every possible combination of characters for as long or as short a password as you specify. It can start with single characters and work up to as many as needed. Brute force attacks can take a very long time, depending on the length and complexity of the passwords.

It doesn't matter how complex your password is if someone is willing to put unlimited time into brute forcing it, but security is never about making a position impenetrable, it's about making penetration so hard the enemy decides it's not worth the effort required.

When it comes to passwords, which is going to be harder to discover, whether using dictionary or brute force attacks:

password

Dr_Livingston_I_Presume

a3Ket9P3s*!k--i2@1)*k#cs?

Of course, that last is almost impossible to remember, so try to find a happy medium with your passwords. That will make you more secure than 98% of the rest of the world.

About Me

Herbert (Bert) Knabe Jr. is a blogger specializing in online
security, privacy and intellectual property. He has long been a fan of
Apple computers and occasionally writes on their products. Online since the mid '80s, he has been blogging on a variety of topics
including U.S. policy and online privacy/security since 2005.

He
has twenty years experience in the newspaper industry, initially as a
production artist, then as a computer technician supporting content
producers. This experience gives him a strong understanding of graphic
production for print and web.

Photography has long been a passion
of Bert's, and he was honored to have a photo included in the PDF
version of the 2011 Plus One Collection. He specializes in cell and
smart phone photography.

Bert lives and goes to church in Lubbock, Texas with his wife of twenty+ years and their five children.